Month: May 2010

As tensions flare on the Korean Peninsula one can only assume that the infamous N. Korean hackers are hard at work. For a long time N. Korean hackers have been very active attacking US and S. Korean sites. N. Korea has specifically trained cyber warriors and some reports say that the N. Koreans are getting very good at what they do and are increasing their attacks.

Attacks on South Korean data networks were up 20 percent last year, with hundreds of serious attempts each day to hack in and steal defense secrets. More North Korean locations are showing up as the source of these attacks. This appears to answer the growing question of what the secretive North Korean cyber war units were up to.

The North Korean hackers are very stealthy, but this may be because they get their internet connections through China and could simply be masquerading as Chinese hackers. Could some of the attacks we blame on China actually be coming from N. Korea?

Also, it appears that North Korea, like China, is moving its core IT systems to a modified Unix operating system called “Red Star”. So what is this closely guarded secure OS like? Well, according to an article on the BBC, Red Star was discovered when a Russian blogger bought a copy for $5; so much for super-secret. Here too they are like China: much had been made of the secrecy of the Chinese “Kylin” secure OS, but the software could be downloaded from a Chinese site (not sure who would be crazy enough to do that), and after analysis it appeared to be just a modified version of FreeBSD.

According to reports, Red Star has a Windows XP style interface, uses open source versions of Microsoft Office software (OpenOffice I assume), and uses Pigeon for e-mail and Firefox for surfing. And according to the BBC, “The Red Star operating system uses a popular Korean folk song as its start-up music and numbers years using a calendar which starts counting from the birth of state founder Kim Il-sung, making 2010 the 99th year.” When this is analyzed, I would not be surprised if it too turns out to be FreeBSD under the hood.

North Korea tends to be an extension of China. I remember watching a report in which a few western journalists tried to get into N. Korea. When they could not get permission to enter, they heard that they might be able to get into N. Korea from China. They went to China and not only got passes to enter N. Korea but got tours and everything.

As things unfold on the peninsula, and time passes, more information will be released about the N. Korean hacker activity.

On Wednesday, Symantec discovered a server that contained a flat file with 44 million stolen gaming credentials. The credentials were from online gaming sites and also game hosting servers.

Hackers turn around and sell the stolen game credentials for cash. But, knowing that unused or closed accounts are of no value, these hackers wrote an automated process to check whether the accounts were still valid. Using the processing power of a botnet, they ran a process that validated each and every one of the 44 million game credentials. Symantec calls this process Trojan.Loginck:

Most botnets have the ability to download and run files, so why not push a custom piece of malware to each bot? The malware could log on to the database and download a group of user names and passwords in order to check them for validity.

If the Trojan succeeds in its task of logging in, it will update the database with the time it logged in and any user credentials (such as current game level, etc.) before moving to the next user name and password. The attackers can then log on to the database and search for the valid user name and password combinations.

Some of the credentials found in the file were from the online games World of Warcraft and Aion. A list of affected game publishers can be found on Symantec’s website. Symantec recommends that you make sure your virus definitions are up to date and that you change your online game passwords to defend against this attack.
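As an added example (not code from the post or from Symantec), here is a small detector for the pattern Symantec describes: one source logging in to many distinct accounts, once or twice each, in a short window, which is what a bot working through a batch of stolen credentials looks like in an authentication log. The log lines, IP addresses and thresholds below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, source IP, account, outcome.
# 203.0.113.10 walks through six accounts in six seconds (validator behaviour);
# 198.51.100.7 is one user retrying their own account (normal behaviour).
LOG = """\
2010-05-26T10:00:01 203.0.113.10 player001 success
2010-05-26T10:00:02 203.0.113.10 player002 success
2010-05-26T10:00:03 203.0.113.10 player003 fail
2010-05-26T10:00:04 203.0.113.10 player004 success
2010-05-26T10:00:05 203.0.113.10 player005 success
2010-05-26T10:00:06 203.0.113.10 player006 success
2010-05-26T10:05:00 198.51.100.7 alice success
2010-05-26T10:05:30 198.51.100.7 alice fail
2010-05-26T10:07:00 198.51.100.7 alice success
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_ACCOUNTS = 5                # distinct accounts from one IP within WINDOW
MAX_PER_ACCOUNT = 2             # a validator tries each credential once or twice, then moves on

def parse(log):
    """Turn the constructed log text into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events

def find_validators(events, window=WINDOW, min_accounts=MIN_ACCOUNTS, max_per_account=MAX_PER_ACCOUNT):
    """Return {ip: [accounts that logged in successfully]} for IPs that behave like credential validators."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        hits = set()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it covers at most `window` of time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            per_account = defaultdict(int)
            for _, _, acct, _ in chunk:
                per_account[acct] += 1
            # many accounts, each touched only once or twice: not a user, a checker
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                hits.update(a for _, _, a, o in chunk if o == "success")
        if hits:
            flagged[ip] = sorted(hits)   # these accounts are confirmed compromised
    return flagged
```

The accounts returned are the ones the checker confirmed as valid, so they are the first to force a password reset on. A real botnet spreads the checks across many bots, so in practice the same count is also worth keeping per account batch and per first-seen IP, not only per source address.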

Okay, it’s only been 6 months, but it has really gone by fast. In June, Cyberarms turns 6 months old. I just wanted to take a second to thank everyone for visiting and sharing your thoughts. Our first month together saw 36 visitors. We now have about 20,000 visitors a month!

I am really pleasantly surprised. I have just shared things that I thought were interesting; I am glad that others seem to enjoy them too. I would like to invite everyone to share your thoughts and comments. The field of computer security is very interesting, and there is always something new, so let’s learn together!

We do have a large number of comments automatically blocked by the spam filter. If you have posted a comment and it does not show up, I apologize. Please contact me; the spam guard probably blocked it.

One last thing, please let me know what you want to see on Cyberarms. Be it more technical articles, reviews, news, etc., all requests will be considered. If you have any questions, comments, or just want to introduce yourself, I can be reached at cyberarms(at)live.com.

The US Cyber Command (CYBERCOM) has officially become operational this week, and it may already be looking at expanding its duties. According to a Wired.com article today, Cyber Command may be tasked with protecting not just government systems, but civilian ones as well:

“At a gathering this week of top cybersecurity officials and defense contractors, the Pentagon’s number two floated the idea that the Defense Department might start a protective program for civilian networks, based on a deeply controversial effort to keep hackers out of the government’s pipes.”

CYBERCOM is responsible for securing and defending military ‘cyber space’, and the Department of Homeland Security (DHS) is tasked with civilian cyber security issues. Currently, it is against federal law for a civilian to counter-attack a malicious hacker. With the vast number of civilian assets and the flood of electronic intrusions, it just makes sense to give the DHS some help.

The government is creating automated systems to help defend cyberspace. Einstein 2 detects threats as they occur, and the new Einstein 3 will be able to detect attacks as they develop and immediately notify the NSA. Privacy concerns have been raised over these automated systems, which inspect several different communication layers for keywords and signatures. The Einstein system has been offered to AT&T and, if the collaboration continues, may be made available to other civilian entities as well.